QRadar Generic

The QRadar Generic playbook is executed for the QRadar Generic incident type. It performs all the common parts of the investigation, including notifying the SOC, enriching data for indicators and users, calculating severity, assigning incidents, and notifying the SIEM admin about false positives.

IBM QRadar · 37 tasks · 16 inputs · 0 outputs

Inputs

  • Enrich — Determines whether to enrich all indicators in the incident.
  • OnCall — Set to true to assign only the user that is currently on shift. Requires Cortex XSOAR v5.5 or later.
  • SocEmailAddress — The SOC team's email address.
  • SocMailSubject — The subject of the email to send to the SOC.
  • SiemAdminEmailAddress — The SIEM admin's email address.
  • UseCalculateSeverity — Determines whether to use the Calculate Severity playbook to calculate the incident severity. If the playbook isn't used, the severity is determined by the QRadar magnitude value.
  • SiemAdminMailSubject — The subject of the email to send to the SIEM admin.
  • UseCustomSeveritySettings — Determines whether to use the default mapping in the QRadar generic mapper to set the XSOAR incident severity, or set the severity using the FieldToSetSeverityFrom and ScaleToSetSeverityFrom playbook inputs. Any value other than false is considered as true and causes the playbook inputs to be used.
  • FieldToSetSeverityFrom — Specifies the field to use for calculating the incident severity, for example the severity field.
  • ScaleToSetSeverityFrom — The range of values of FieldToSetSeverityFrom is 1-10. The XSOAR incident severity field value range is 0-4 where 0 - Informational 1 - Low 2 - Medium 3 - High 4 - Critical The scale translates the value of FieldToSetSeverityFrom to a valid incident severity value. The default scale is 1,1,1,2,2,2,2,3,3,3 This means that values 1-3 of FieldToSetSeverityFrom are translated to low severity (positions 1-3 in the scale), values 4-7 are translated to medium severity (positions 4-7 in the scale) and values 8-10 are translated to high severity (positions 8-10 in the scale).
  • RunAdditionalSeach — By default the incident fetches the events defined in the integration instance settings (default is 20 events). To fetch additional events, change this setting to true.
  • MaxLogsCount — Maximum number of log entires to query from QRadar. Used for the QRadar - Get Offense Logs subplaybook.
  • GetOnlyCREEvents — If this value is "OnlyCRE", get only events made by CRE. Values can be "OnlyCRE", "OnlyNotCRE", "All". Used for the QRadar - Get Offense Logs subplaybook.
  • Fields — A comma-separated list of extra fields to get from each event. You can use different fields or rename the existing fields. Used for the QRadar - Get Offense Logs subplaybook.
  • IndicatorTag — The tag to provide for true positive indicators, for example to use the indicators in an EDL (External Dynamic List).
  • ExcludeIndicatorsInXSOAR — If this value is not false, add indicators to the XSOAR exclude list. The excluded indicators won't be created in XSOAR anymore.

Commands used

closeInvestigation excludeIndicators extractIndicators send-mail setIncident setIndicator

Flowchart

yes False Positive True Positive yes yes yes use custom yes yes yes yes Start Start Should indicators be extracted and enriched? Should indicators be extr... Start Remediation SLA Timer Start Remediation SLA Timer Enrich Data Enrich Data Manually review the incident Manually review the incident Close investigation - closeInvestigation Close investigation closeInvestigation Extract indicators from incident - extractIndicators Extract indicators from i... extractIndicators Done Done Send investigation report to SOC - send-mail Send investigation report... send-mail Was this a true positive? Was this a true positive? Generate Investigation Summary Report - GenerateInvestigationSummaryReport Generate Investigation Su... GenerateInvestigationSummaryR... Use Calculate Severity? Use Calculate Severity? Was the SOC email address provided? Was the SOC email address... Was the SIEM admin email address provided? Was the SIEM admin email ... Assign an analyst to the incident - AssignAnalystToIncident Assign an analyst to the ... AssignAnalystToIncident XSOAR Exclude Indicators XSOAR Exclude Indicators Provide data for rule adjustment Provide data for rule adj... Determine incident severity according to offense info - setIncident Determine incident severi... setIncident Investigation Investigation Set as false positive - setIncident Set as false positive setIncident SIEM Admin SIEM Admin SOC Summary SOC Summary Calculate Severity - Standard - Calculate Severity - Standard Calculate Severity - Stan... Calculate Severity - Standard Use custom severity? Use custom severity? Run additional searches? Run additional searches? QRadar - Get Offense Logs - QRadar - Get Offense Logs QRadar - Get Offense Logs QRadar - Get Offense Logs Any indicators to tag? Any indicators to tag? Tag Indicators - setIndicator Tag Indicators setIndicator Is Indicator exclusion allowed in XSOAR? Is Indicator exclusion al... Any indicators to exclude? Any indicators to exclude? True/False Positive tuning True/False Positive tuning Exclude Indicators - excludeIndicators Exclude Indicators excludeIndicators Select indicators to exclude Select indicators to exclude Provide closing reason and tag indicators Provide closing reason an... Set closing reason - setIncident Set closing reason setIncident Send email to SIEM admin Send email to SIEM admin Entity Enrichment - Generic v3 - Entity Enrichment - Generic v3 Entity Enrichment - Gener... Entity Enrichment - Generic v3